Understood. My requirements were targeted for pure MarkLogic application development with a fine level of MarkLogic security, with no Java front end.

I agree that keeping the integration at the XCC level is easier, but when roles/groups and their combinatorial mixes grow too large across multiple applications, doing it user-for-user becomes cleaner. Such is our case. I do agree that if this is not your case, your roles are simple, and you have a Java front-end app, doing it at that level would be preferable. Nonetheless our Open SSO integration still goes with the concept of combinatorial mixes of roles across our many applications, making user-for-user caching a simpler solution.

David J. Steiner
Principal Engineer
[email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Geert Josten
Sent: Tuesday, October 06, 2009 10:09 AM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] Integration with single sign on and directory services?

Hi Jeroen, David,

You make it easier for yourself by not doing user management in MarkLogic Server at all. Just leave authentication and most authorization to the Java layer and only distinguish on user roles within the MarkLogic database if that makes sense. That makes replacing the authentication back-end much easier, and would allow reusing the Java code for other back-end systems at the same time.

If you need to keep user data separate, then you can do that with directories or collections. You don't need the full MarkLogic security layer for that, per se.

Kind regards,
Geert

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of David Steiner
> Sent: Tuesday, 6 October 2009 17:57
> To: General Mark Logic Developer Discussion
> Subject: RE: [MarkLogic Dev General] Integration with single sign on and directory services?
>
> Hi,
>
> We are doing authentication and authorization against LDAP and also behind Open SSO connected to LDAP for fully MarkLogic web apps and services, but it is not a trivial matter. It requires external web services to access LDAP or, in the case of Open SSO, a significant amount of infrastructure there as well.
>
> In addition, there is significant code written in XQuery to support stable / cross application sessions, user profile management, and user creation / management to make this possible within MarkLogic.
>
> We are caching the roles and other user information in MarkLogic, but only on a brief session basis. Users are even cleaned out of ML if not accessed for an extended period of time because we have multi-millions of users. If not done this way, then synchronization can become an issue.
>
> We are using a Java / Jetty based solution to access LDAP as a web service from within MarkLogic for getting the user profile and roles information when not fronted with Open SSO.
>
> For more information, we may want to take this offline, perhaps with some phone time.
>
> David J. Steiner
> Principal Engineer
> [email protected]
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jeroen Pulles
> Sent: Tuesday, October 06, 2009 9:17 AM
> To: General Mark Logic Developer Discussion
> Subject: Re: [MarkLogic Dev General] Integration with single sign on and directory services?
>
> Hi Geert and others,
>
> > It mainly depends on where you need access to the permissions/privileges/users, and what artifacts are already in place. It is not uncommon to have user administration in an LDAP server. In that case you don't want to replicate all user info into MarkLogic database, as that would involve continuous synchronisation.
>
> In this particular case, there are +1000 users that authenticate against a +10000 users identity provider, so there's a real benefit in using that existing infrastructure.
>
> > If you want to fully utilize the security layer of MarkLogic, then perform all authentication and authorisation against the MarkLogic database. Should be that very difficult, though there is no LDAP api for connecting to MarkLogic. (Perhaps a nice to have? ;)
>
> No, I'd want it the other way round and have MarkLogic use an existing directory service and authentication provider. The MarkLogic users are only a subset of the complete user database.
>
> Am I right in believing that Mark Logic Server does not support application-external authentication and role mapping?
>
> regards,
> Jeroen
>
> 2009/10/5 Geert Josten <[email protected]>:
> > Hi Jeroen,
> >
> > It mainly depends on where you need access to the permissions/privileges/users, and what artifacts are already in place. It is not uncommon to have user administration in an LDAP server. In that case you don't want to replicate all user info into MarkLogic database, as that would involve continuous synchronisation.
> >
> > If you want to fully utilize the security layer of MarkLogic, then perform all authentication and authorisation against the MarkLogic database. Should be that very difficult, though there is no LDAP api for connecting to MarkLogic. (Perhaps a nice to have? ;)
> >
> > Kind regards,
> > Geert
> >
> > Drs. G.P.H. Josten
> > Consultant
> >
> > http://www.daidalos.nl/
> > Daidalos BV
> > Source of Innovation
> > Hoekeindsehof 1-4
> > 2665 JZ Bleiswijk
> > Tel.: +31 (0) 10 850 1200
> > Fax: +31 (0) 10 850 1199
> > http://www.daidalos.nl/
> > KvK 27164984
> > The information sent in or with this e-mail message originates from Daidalos BV and is intended solely for the addressee. If you have received this message unintentionally, we ask you to delete it. No rights can be derived from this message.
> >
> >> From: [email protected]
> >> [mailto:[email protected]] On Behalf Of Jeroen Pulles
> >> Sent: Monday, 5 October 2009 15:30
> >> To: General Mark Logic Developer Discussion
> >> Subject: [MarkLogic Dev General] Integration with single sign on and directory services?
> >>
> >> Hi,
> >>
> >> What are the possibilities for Mark Logic Server to integrate with a single sign on (SSO) system for user authentication and directory services for mapping group membership to Mark Logic roles? I am specifically interested in integration with a SAML 2.0 environment.
> >>
> >> My application has a Java layer in place in front of Mark Logic. All access to Mark Logic Server is done over the XCC connector. I /could/ do all privilege and permission control in the Java layer. That seems to be a waste to me as an ML newbie, however, since the permissions/privilege functionality is just what I want for my document management. And I don't want to end up duplicating existing document permissions/privilege functionality.
> >>
> >> Any advice?
> >>
> >> regards,
> >> Jeroen
> >>
> >> --
> >> Jeroen Pulles
> >> Xopus B.V., The Netherlands
> >>
> >> Xopus: The web based WYSIWYG XML Editor
>
> _______________________________________________
> General mailing list
> [email protected]
> http://xqzone.com/mailman/listinfo/general
>
> NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
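The design David Steiner describes, roles derived from directory group membership, cached only for a short session window, and idle users cleaned out so the cache cannot drift far from the directory of record, can be modelled in a few dozen lines. The block below is an added illustration written for this thread, not code from the list, from MarkLogic or from Open SSO: the group DNs, role names, TTL values and the in-memory "directory" are all constructed assumptions, and the directory outage is simulated with a flag. It shows the trade-off the thread is circling: a cached role set is at most role_ttl seconds stale after a group change, a fresh entry survives a directory outage, and an expired entry is never served during an outage (fail closed rather than grant stale privileges).

```python
"""Session-scoped role cache fed by directory group membership.

Added example for the thread above; group DNs, role names, timings and the
in-memory directory are assumptions, not MarkLogic or Open SSO code.
"""
from dataclasses import dataclass
import time

# Assumed group DN -> application role. Unlisted groups grant nothing.
GROUP_TO_ROLE = {
    "cn=editors,ou=groups,dc=example,dc=com": "doc-editor",
    "cn=reviewers,ou=groups,dc=example,dc=com": "doc-reviewer",
    "cn=admins,ou=groups,dc=example,dc=com": "app-admin",
}


class DirectoryUnavailable(Exception):
    """Directory could not be consulted; callers must fail closed."""


@dataclass
class CachedUser:
    roles: frozenset
    fetched_at: float  # when roles were last read from the directory
    last_seen: float   # when the user last touched the application


class RoleCache:
    def __init__(self, lookup_groups, role_ttl=300.0, idle_limit=3600.0,
                 clock=time.monotonic):
        self._lookup_groups = lookup_groups  # user id -> iterable of group DNs
        self._role_ttl = role_ttl            # max age of a reused role set
        self._idle_limit = idle_limit        # evict users idle longer than this
        self._clock = clock
        self._users = {}

    def roles_for(self, user):
        """Return the user's roles, re-reading the directory once the cached
        set is older than role_ttl. An expired entry is never served, so a
        directory outage denies rather than grants stale privileges."""
        now = self._clock()
        entry = self._users.get(user)
        if entry is None or now - entry.fetched_at > self._role_ttl:
            groups = self._lookup_groups(user)  # may raise DirectoryUnavailable
            roles = frozenset(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)
            entry = CachedUser(roles, now, now)
            self._users[user] = entry
        entry.last_seen = now
        return entry.roles

    def evict_idle(self):
        """Drop users not seen within idle_limit; return how many were dropped."""
        now = self._clock()
        idle = [u for u, e in self._users.items() if now - e.last_seen > self._idle_limit]
        for u in idle:
            del self._users[u]
        return len(idle)

    def cached_users(self):
        return frozenset(self._users)


class FakeClock:
    """Controllable clock so expiry can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed stand-in for the directory: user id -> group DNs.
DIRECTORY = {
    "alice": ["cn=editors,ou=groups,dc=example,dc=com",
              "cn=reviewers,ou=groups,dc=example,dc=com"],
    "bob": ["cn=guests,ou=groups,dc=example,dc=com"],  # unmapped group
}


def demo():
    """Walk the cache through a group change, an outage and idle eviction."""
    clock, outage, out = FakeClock(), {"down": False}, {}
    directory = {u: list(g) for u, g in DIRECTORY.items()}

    def lookup(user):
        if outage["down"]:
            raise DirectoryUnavailable("directory unreachable")
        return directory.get(user, [])

    cache = RoleCache(lookup, role_ttl=300.0, idle_limit=3600.0, clock=clock)
    out["alice_initial"] = cache.roles_for("alice")
    out["bob_initial"] = cache.roles_for("bob")
    # Alice is removed from the editors group; within the TTL the old set is still served.
    directory["alice"].remove("cn=editors,ou=groups,dc=example,dc=com")
    clock.advance(100)
    out["alice_within_ttl"] = cache.roles_for("alice")
    clock.advance(300)
    out["alice_after_ttl"] = cache.roles_for("alice")
    outage["down"] = True
    out["alice_outage_fresh"] = cache.roles_for("alice")  # entry still fresh
    clock.advance(400)
    try:
        cache.roles_for("alice")
        out["alice_outage_expired"] = "served"
    except DirectoryUnavailable:
        out["alice_outage_expired"] = "denied"
    outage["down"] = False
    clock.advance(3000)
    out["evicted"] = cache.evict_idle()          # bob idle since t=0
    out["remaining"] = cache.cached_users()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sizes of role_ttl and idle_limit are the knobs behind the "brief session basis" in the thread: a shorter TTL narrows the window in which a revoked group still grants a role, at the cost of more directory traffic, while the idle limit bounds how many of the "multi-millions of users" are ever resident at once.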
